Google security researcher Tavis Ormandy has set the cat among the “responsible disclosure” pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.

The issue was reported June 5th, 2010 (a Saturday) and then made public less than four days later. “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” he said, stressing that the workaround suggested by Ormandy is inadequate.

It is one thing when someone in the general public does this, but when it is Google - that is fairly bad practice. They usually give them 30 days to fix it. With Google prepping a desktop Operating System, it would be wise to remember that old saying, "what goes around - comes around".

I'm sure Google will appreciate the same thing from the community of security researchers when a newly discovered vulnerability in one of their web apps (such as Gmail) is reported to the general public before Google fixes it (say in five days from being reported to Google).

Asked for comment on Ormandy's disclosure activities, a Google spokesperson said: "Tavis acted independently using research conducted in his own time. Tavis' personal views on disclosure don't necessarily reflect the views of his colleagues at Google or Google as a whole."

true_INFP, the point is that no program will ever be 100% secure so long as it's user facing especially with many programmers involved, millions of highly intelligent users specifically looking for flaws... idiots that click everywhere. etc.

Bottom line... he should have given them more time before making a public disclosure. Not cool...

Considering that Microsoft has several long-standing known unpatched vulnerabilities that stretch back years and years, I don't blame Google for not having much faith in MS to act quickly if they just reported it to them in private.

That being said there is a high level of irresponsibility in how they went about this.

With Google prepping a desktop Operating System, it would be wise to remember that old saying, "what goes around - comes around".

true_INFP, it was a reply to your comment of "No need to get overly upset." I took your use of "upset" here to mean "excited", as I don't think anyone here is getting upset, but it certainly got me a little excited, as Google is the Emperor with no clothes, throwing rocks in his glass house... Also, I would say that with what you'd call "whitehat" hackers, out-of-the-box Mac OS and nearly every Linux distro are actually much less secure. Windows, when fully patched and using common sense, is more secure than Mac or Linux as a desktop environment. The main issues with Windows are A) it's the biggest target, B) IE is a nightmare, C) the registry system is flawed.

Wow, if they keep doing stuff like this, or allowing their employees to do this (even on their own time), they're going to have M$ and Apple working together, or some other crazy partnerships, to work against them.

They need to stop throwing their weight around and get their house in a bit of order IMO, because the way they step on everyone is going to bite them eventually...

Really, don't they get the idea privacy and security are things people actually take seriously and from a business perspective it can be a bad plan to exploit both of those to the extent they do?

They send an e-mail on Sat (weekend) and on Thurs they tell everyone about the flaw? The stinking e-mail likely sat in an inbox until Mon AM, so they effectively gave 3 working days to fix the issue. Nice!

true_INFP, it was a reply to your comment of "No need to get overly upset."

Well, that was in response to J_RaD's series of upper-case sentences (which I considered "overly upset"). The point was that irresponsible disclosure is actually quite common (more than the average Joe suspects). The only thing that is extraordinary in this case is that the irresponsible disclosure was done not by an immature amateur, but by a professional paid by Google.

Irresponsible disclosure is normally tolerated only if the vendor is taking some unreasonably long time to fix the vulnerability (e.g. years when it should take several days). In this case, there was no reason to choose irresponsible disclosure.

Glad this guy wasn't in charge of the wifi sniffing; he probably would have started 'claim-your-credit-card.com', the only place online you can re-claim your own credit card... Simply enter your full name, address and phone number and we'll remove your credit card number from public view... You know, because that would really teach people a lesson.

If enough security guys sit around and noodle, they will find flaws in every system Google runs, from the inside out.

Well of course, but that is their job after all, to know the security issues of hardware and software on their networks and to minimize their potential negative effects.

I am by no means defending how they went about this but you can't criticize a security guy for looking for security flaws on his network.

When I worked for a development house we had a guy whose job was exactly that. He mostly looked at PHP; at the time there were lots of vulnerabilities in it. But sometimes he would show up at your workstation and declare that he was uninstalling something until they made it more secure.

He was the same guy that forbade us from using FTP because it was not secure enough a protocol for him.

Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk

What a CROCK, MS. Your vulnerability issue(s!) put customers at risk. Don't blame anyone else for how risky your product(s!) are; you've got too long a bad record with security for that now. The fact it took a Googler to spot problems with your own software speaks volumes.

If blame is being passed down to the techies who write the code at MS, I offer this bad management decision to pass the blame instead of taking responsibility for YOUR own product as a sign the issues are probably leadership related.

What if one of your neighbours told all her mates that the lock on your back door was broken, so you got burgled, and then blamed you for not fixing it? You wouldn't be too happy about that. But that is what this Google guy has done.

He's basically told everyone how to commit a crime. You can't get away with that in other walks of life. Imagine if he told everyone how to bypass a bank's security system. Would that be justified too? There's not much difference.

I am by no means defending how they went about this but you can't criticize a security guy for looking for security flaws on his network

If Windows is banned, why look any further? This seems like they did it just to create bad PR for MS, and maybe to get the info into the hands of the wrong people, which could make the issue explode, causing MS more bad PR.

This seems like they did it just to create bad PR for MS, and maybe to get the info into the hands of the wrong people

More crock. They reported a weakness to webmasters 4 days after they discovered it. The weakness is MS's problem; there isn't any reason to say otherwise just because a Googler spotted it. The issue would be the same no matter who spotted it, and that is MS's problem.

edit: I don't know why I'm defending Google, as if they need defending, but the sheer volume of "pile on Google cuz they are the devil" baseless crap spreads like a smelly cloud and I'm tired of breathing it in everywhere, including here.

Is there anyone here posting about how this is solely a M$ issue and Google is perfectly fine not adhering to generally accepted practice who would not be absolutely up in arms, screaming 'lawsuit' at the top of their lungs, if someone found a security flaw in your site and posted it here rather than letting you have a reasonable chance to fix it first, because it's your site and you're responsible for the security of it?

I doubt it...

Also, if Google wants to be respected as the leader, the company that follows their 'don't be evil' motto, and standard setter, then they need to do just that and follow standard and generally accepted industry practices, otherwise they're going to get what's going on here, because we all know if M$ did the same thing to them they'd be the ones lashing out in the press.

Someone from Google went deliberately looking for a hole, and when they found one they only gave M$ days to fix it... If they had waited 30 days, as is standard practice for a fix, we probably wouldn't have anything negative to say about them making it public.

All Google had to do was follow the standards and accepted practices, but it seems even that is asking too much of them. Maybe because it's not their system or computer at risk, it's yours...

ADDED: Think about it this way for a minute: Google's not going to lose anything from this. Microsoft is not going to lose anything from this.

It's you, your mom, your kids, your friends, your family that making this public without a fix puts at risk... Are people really thinking Google's employee behaved responsibly? Really?

They didn't put M$ or G at risk... G doesn't use it (AFAIK) and you need M$ to run all your software, so they're not going to lose anything. So who's at risk? Everyone who could have the hole Google's employee found exploited, which happens to be everyone who runs Windows...